Maybe it works?:

Warren Togami warren at togami.com
Wed Apr 11 14:13:35 PDT 2001


I am glad to hear you got it working, but please understand this.

That script has rules for INPUT, FORWARD, OUTPUT and possibly other chains.
Your computer is NOT a firewall, and that script sets rules mainly on the
FORWARD chain.  The FORWARD chain does nothing to your ruleset because you
are not routing packets.  You made it work by fixing an INPUT chain,
possibly by removing some restricting rule.

So... yeah it works now, but only because your current rules are no
different than without the script on the INPUT and OUTPUT chains.
Everything in the FORWARD chain is doing nothing but using RAM.

Also please understand that SuSE is no different than any other Linux
distribution using the 2.4 kernel.  There is nothing "state of the art"
about it beyond being the first to release a 2.4 kernel distribution, though
the installation and configuration looks much cleaner in SuSE.  That SuSE
firewall script will run the same way in any other Linux distribution (using
a 2.4 kernel with Netfilter included).

I am curious, could you type "iptables -L" and e-mail the chains it
outputs?

----- Original Message -----
From: "Cyberclops" <Cyberclops at hawaii.rr.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Wednesday, April 11, 2001 10:27 AM
Subject: [luau] Re:Maybe it works?:


> Just as you posted this, I believe I have it working.  At least I
> believe this log message shows it is working.  I'm now going back over
> the SuSE firewall to eliminate as much stuff as possible to see exactly
> what made it work, and what didn't have any effect.  Then I will post
> the line that made it work for comment.  While I'm sure securing a system
> in a traditional manner is a good idea, I still remain a believer in the
> SuSE firewall, as my understanding is that "it is state of the art" as
> compared to previous Linux kernels.  Plus SuSE has their own way of
> doing things which is different from other Linux distributions I have
> tried.  Moreover, I like SuSE 7.1 better than any other Linux
> distribution I have tried.  To be blunt, it is the only one that has
> worked with any relative ease and actually worked.  A lot of people tout
> Mandrake as being great.  I did try Mandrake 7.0, 7.1, and 7.2.  My
> personal experience was that Mandrake 7.2 was a disappointment for many
> different reasons.  In contrast my experience with SuSE 7.1 is that
> while not being totally easy to use, it is acceptable, and best of all,
> it appears to be absolutely solid.  That's why I would like to get it
> working up to its full potential.  One thing that's great about Linux,
> is that if you don't like one distribution, there's always another one
> to choose.  This competition among distributions is very healthy.  I just
> wish some of the self appointed experts who advocate Mandrake as being
> the best solution would give SuSE 7.1 an honest evaluation.  I have
> noticed there have been several people who state Mandrake 7.2 or (8.0
> beta) is the best, yet they seemingly have no experience with SuSE 7.1.
> Anyway please excuse me for being stubborn about SuSE 7.1.  It's just
> that I have tried many distributions at this point and have found SuSE
> 7.1 to be the best so far for my tastes.  I know their firewall works,
> so it seems the simplest and easiest solution is to learn how to
> properly configure it.
>
>
>
> Apr 11 09:53:22 a24b161n139client142 ntpdate[487]: step time server
> 128.2.191.71 offset -0.002408 sec
> Apr 11 09:53:22 a24b161n139client142 xntpd[492]: ntpd 4.0.99f Mon Apr  9
> 19:30:07 GMT 2001 (1)
> Apr 11 09:53:22 a24b161n139client142 xntpd[492]: signal_no_reset: signal
> 13 had flags 4000000
> Apr 11 09:53:22 a24b161n139client142 xntpd[492]: precision = 9 usec
> Apr 11 09:53:22 a24b161n139client142 xntpd[492]: kern_enable is 1
> Apr 11 09:53:22 a24b161n139client142 xntpd[492]: using kernel phase-lock
> loop 0040
> Apr 11 09:53:23 a24b161n139client142 xntpd[492]: frequency initialized
> 0.000 from /etc/ntp.drift
> Apr 11 09:53:23 a24b161n139client142 xntpd[492]: using kernel phase-lock
> loop 0041
>
> Warren Togami wrote:
> >
> > On Saturday after I realized you had a single NIC, I realized what you were
> > trying to do.  I tried to explain to you that a "firewall" is NOT what you
> > want, especially that firewall script in particular.  Most firewall scripts
> > like the one you are trying to make work are designed to use two network
> > interfaces, filtering traffic from the outside internet to a local area
> > network.  You do not have two network interfaces.  You are confusing the
> > need for a "firewall" with those personal firewall products for Windows like
> > Zonealarm, Zonefree or BlackIce Defender.  These products are arguably not
> > firewalls in a traditional sense.  They simply track and disallow certain
> > types of packets from entering or leaving your computer, and perhaps log
> > data.
> >
> > Most users of Linux do not go to this extreme because it is simply not
> > needed.  This is a very advanced topic, the likes of which very few of us on
> > this list have even begun to master.  I would suggest securing your system
> > in the normal way first, learning a bit more about the services, TCP
> > wrappers, kernel configuration, Netfilter and iptables.  At that point you
> > will understand that a "personal firewall" is NOT needed, though you can
> > easily implement rules to make one if you want.
> >
> > This is the third time I will say this: Please do not persist in trying to
> > make this script work on your system.  This script was NOT designed to do
> > what you want.  Please start from scratch with simple INPUT and OUTPUT
> > chains and work from there.  But first, secure your services and the kernel
> > the normal way.
> >
> > As for the services to disable, please refer to this discussion about some
> > services and their descriptions.
> > http://forum.mplug.org/viewthread.php3?FID=4&TID=3
> >
> > If you have any further questions please post again.
>
>
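Warren's point above (on a single-NIC host that is not routing, nothing ever traverses the FORWARD chain, so a two-interface script's FORWARD rules sit idle and only INPUT and OUTPUT decide anything; start from those two chains) turned into an added example. This is not code from the thread or from the SuSE script: the host-only ruleset, the ip_forward check and the counter parser are written here, the interface and port choices are placeholders, and the `iptables -L -v -n -x` status text is a constructed sample showing what Warren predicts you would see, INPUT counters moving while every FORWARD rule stays at zero.

```shell
#!/bin/sh
# Added example for a 2.4-era single-NIC Linux host with iptables; not from
# the list thread.  Function names, the allowed port and the sample status
# output below are all assumptions made for illustration.

# Rules for a single-homed host: everything is decided on INPUT and OUTPUT.
# FORWARD gets a DROP policy and no rules, because nothing is routed.
host_rules() {
    cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
EOF
}

# Is the kernel routing at all?  Reads ip_forward; the path is a parameter
# so the check can be exercised against a test file.  Returns 0 when
# forwarding is on, 1 when it is off (the FORWARD chain is then never hit).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Sum the pkts column of one chain in `iptables -L -v -n -x` output read on
# stdin.  Rules whose counters never move are rules that never match.
chain_packets() {
    awk -v chain="$1" '
        /^Chain /          { cur = $2; next }      # chain header line
        /^ *pkts +bytes/   { next }                # column header line
        cur == chain && NF > 0 { total += $1 }     # one rule per line
        END { printf "%d\n", total + 0 }
    '
}

# Constructed sample (not real output) of `iptables -L -v -n -x` on a
# single-NIC host running a two-interface script: INPUT rules carry traffic,
# FORWARD rules never see a packet.
SAMPLE_STATUS='Chain INPUT (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     340      45000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1200     980000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1600 packets, 120000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'

# Report, per chain, how many packets the rules in that chain have matched.
# Takes the status text as an argument so each chain can be scanned in turn.
report() {
    for c in INPUT FORWARD OUTPUT; do
        printf '%s: %s packets matched by rules\n' \
            "$c" "$(printf '%s\n' "$1" | chain_packets "$c")"
    done
}

# Usage:  sh this.sh                       -> report over the sample text
#         iptables -L -v -n -x > s; report "$(cat s)"  -> your own machine
#         host_rules | sh                  -> install the host-only rules (root)
report "$SAMPLE_STATUS"
```

On a real machine, pair the report with `forwarding_enabled`: if ip_forward is 0 and every FORWARD counter stays at zero across a day of use, the FORWARD rules can be flushed (`iptables -F FORWARD`) with no change in what the host accepts, which is exactly the situation Warren describes.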